In general, I would say, yes, it's worth it.  However, here are
the questions I would be asking:

1) You mention that not many people have access to the machines.  How many
is not many?  What is the turnover among the people who have access?  Is
key control important to you?

2) Do you foresee a situation in the future where your systems will be
accessed from the outside world, either from users at a branch office or
people working from home? ssh also allows tunneling of other protocols so
that you can run X11 apps securely from remote, or do POP-over-SSL, or
SMTP-over-SSL, etc.  These can also be done with a VPN, which will secure
all your apps for external use, but VPN solutions tend to be more
expensive and complicated to set up than ssh. (This, of course, depends on
how many boxes you're securing and other things.  If you have 50 or 100
servers running proprietary apps and they all need to be accessed from
remote, you'll be better off setting up a VPN).

If the answer is something like this:

"We have 10 users accessing the servers through a switched LAN.  Our
employee turnover is low, and there are no plans in the next two years to
allow remote access", then no, maybe it's really not worth it.

I'm not sure why going from rsh to ssh would be a hassle.  If you're in a
huge hurry, you can set up the accounts you would have logged into via rsh
with password-free keys.  The security on this is lacking, but no
worse than using rsh.  If you want to do it right, you can use ssh-agent
to cache the key on initial startup (i.e. at boot time), and use the
cached key for subsequent accesses.

Hope this is helpful.

Jeremy

On Mon, 7 Oct 2002, Trevor Cushen wrote:

> Hello all,
>
> Quick opinion based question.  I have a switched internal network that
> currently uses a lot of rcp with rsh authentication to move files
> about.  Platforms are unix and nt (ftp on the nt side)
>
> More secure is ssh and scp for all platforms, but I have several scripts
> that would all have to be re-written and a fair bit of setting up for
> all the clients and servers involved throughout the organisation.
>
> The question is this:
>
> On an internal network that is switched (making sniffing harder) is it
> worth going to SSH and SCP??????
>
> I am aware how to set it all up but the thing is, is it worth it?  Bear
> in mind also that few people have passwords to the boxes and the only
> real threat is sniffing the traffic.
>
> All opinions welcome,
> thanks
>
> Trevor Cushen
> Sysnet Ltd
>
> www.sysnet.ie
> Tel: +353 1 2983000
> Fax: +353 1 2960499
>
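
The ssh-agent approach suggested in the reply above, sketched as an added example (not part of the original thread): a passphrase-protected key is loaded into one agent after boot, and a wrapper that stands in for rcp refuses to run unless that agent holds a key. The key path, agent file location and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: move rcp/rsh batch jobs to scp with a key cached in ssh-agent.
# KEY, AGENT_ENV and all function names are hypothetical.

KEY="${KEY:-$HOME/.ssh/id_batch}"               # passphrase-protected batch key
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"  # records the agent socket and pid

# Run once at boot: start a single agent and record how to reach it,
# so later cron jobs and scripts can reuse the same agent.
start_agent() {
    ( umask 077; ssh-agent -s | grep -v '^echo' > "$AGENT_ENV" )
    . "$AGENT_ENV"
}

# Run once after start_agent: ssh-add asks for the passphrase a single time
# and the decrypted key then lives only in the agent's memory.
load_key() {
    . "$AGENT_ENV"
    ssh-add "$KEY"
}

# Succeeds only if the recorded agent is reachable and holds at least one key.
# ssh-add -l exits 1 when the agent is empty and 2 when it cannot be reached.
agent_ready() {
    [ -r "$AGENT_ENV" ] || return 1
    . "$AGENT_ENV"
    ssh-add -l >/dev/null 2>&1
}

# Stand-in for "rcp src host:dst" in existing scripts.
# BatchMode=yes makes scp fail at once instead of hanging on a prompt.
secure_copy() {
    agent_ready || { echo "ssh-agent has no key loaded; refusing to copy" >&2; return 1; }
    scp -q -o BatchMode=yes "$@"
}
```

In an existing script, `rcp report.txt host:/data/` becomes `secure_copy report.txt host:/data/`, and a job that runs before the key has been loaded fails with a clear message rather than blocking.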


